List: oss-security
Subject: [oss-security] CVE-2021-36090: Apache Commons Compress 1.0 to 1.20 denial of service vulnerability
From: Stefan Bodewig <bodewig () apache ! org>
Date: 2021-07-13 4:01:33
Message-ID: b713094b-a7d1-a7db-4ff9-3a1fe3523d6d () apache ! org
Description:
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
Mitigation:
Commons Compress users should upgrade to 1.21 or later.
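A quick way to find builds still on an affected version is to scan Maven dependency output for commons-compress coordinates and compare against the advisory's range (1.0 through 1.20, fixed in 1.21). The following is an added example, not code from the advisory or the Commons Compress project; the `mvn dependency:tree` lines are constructed, and the version parsing assumes plain dotted numeric versions (any `-qualifier` is ignored).

```python
import re

# Affected range from the advisory: 1.0 up to and including 1.20; fixed in 1.21.
FIRST_AFFECTED = (1, 0)
FIXED_VERSION = (1, 21)

# Constructed sample of `mvn dependency:tree` output (not real project output).
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.apache.commons:commons-compress:jar:1.20:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] \\- com.example:lib:jar:2.3:compile
[INFO]    \\- org.apache.commons:commons-compress:jar:1.21:compile
"""

# Matches the Maven coordinate and captures the version that follows it.
DEP_RE = re.compile(r"org\.apache\.commons:commons-compress:jar:([0-9][0-9A-Za-z.\-]*)")


def parse_version(version: str):
    """Turn '1.20' or '1.21-SNAPSHOT' into a comparable tuple of ints.

    Assumption: the numeric part is dotted integers; any '-qualifier' is dropped.
    """
    numeric = version.split("-")[0]
    return tuple(int(part) for part in numeric.split("."))


def is_affected(version: str) -> bool:
    """True if this commons-compress version is inside the CVE-2021-36090 range (< 1.21)."""
    v = parse_version(version)
    return FIRST_AFFECTED <= v < FIXED_VERSION


def find_affected(tree_output: str):
    """Return the affected commons-compress versions found in dependency:tree output."""
    found = []
    for line in tree_output.splitlines():
        match = DEP_RE.search(line)
        if match and is_affected(match.group(1)):
            found.append(match.group(1))
    return found


if __name__ == "__main__":
    for version in find_affected(SAMPLE_TREE):
        print(f"affected commons-compress version found: {version}")
```

Transitive dependencies (the second commons-compress entry above comes via another library) are reported the same way, which is where outdated copies usually hide.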
Credit:
This issue was discovered by OSS Fuzz.
References:
https://commons.apache.org/proper/commons-compress/security-reports.html